Part IV: Operating System Hacking
Chapter 11: Windows

Many security tools — including some of the tools in this chapter — aren’t designed for Windows Server 2003 and newer operating systems but work with them. However, the program documentation sometimes isn’t updated to reflect its compatibility. The most recent version of each tool in this chapter is compatible with Windows NT, 2000, and Server 2003.

The more security tools and other power user applications you install in Windows — especially programs that tie into the network drivers and TCP/IP stack — the more unstable Windows becomes. I’m talking about slow performance, blue screens of death, and general instability issues. Unfortunately, often the only fix is to reinstall Windows and all your applications. I’ve had to rebuild my system once during the writing of this book and a total of three times in the past year. Ah, the memories of those DOS and Windows 3.x days when things were much simpler!

Essential tools

Every Windows security tester needs these special tools:

• Nmap (www.insecure.org) for UDP and other types of port scanning. Nmap is an excellent tool for OS fingerprinting.
• Vision (www.foundstone.com) for mapping applications to TCP/UDP ports.

Free Microsoft tools

You can use the following Windows programs and free security tools that Microsoft provides to test your systems for various security weaknesses.

• Built-in Windows programs (Windows 9x and later versions) for NetBIOS and TCP/UDP service enumeration:
  • nbtstat for gathering NetBIOS name table information
  • netstat for displaying open ports on the local Windows system
  • net for running various network-based commands, including viewing of shares on remote Windows systems
• Microsoft Baseline Security Analyzer (www.microsoft.com/technet/security/tools/mbsahome.asp) for testing for missing patches and basic Windows security settings.
• Windows Resource Kits (including some tools that are free for download at www.microsoft.com) for security and OS management. You can get specific details about Resource Kit books published by Microsoft Press at www.microsoft.com/learning.

All-in-one assessment tools

The following tools perform a wide variety of security tests, including
• Port scanning
• OS fingerprinting
• Basic password cracking
• Detailed vulnerability mappings of the various security weaknesses the tools find on your Windows systems

I recommend any of these comprehensive sets of tools:
• LANguard Network Security Scanner (www.gfi.com)
• QualysGuard (www.qualys.com). QualysGuard has very detailed and accurate vulnerability testing.
• Nessus (www.nessus.org)

Task-specific tools

The following tools perform one or two specific tasks. These tools provide detailed security assessments of your Windows systems and insight that you may not otherwise get from all-in-one assessment tools:

• SuperScan (www.foundstone.com) for TCP port scanning and ping sweeps.
• A tool for enumerating Windows security settings. Given the enhanced security of Windows Server 2003, these tools can’t connect and enumerate a default install of a Windows Server 2003 system like a Windows 2000 or NT system — but you can use these tools nonetheless. It’s a good idea to test for vulnerable “non-default” configurations in case the secure default settings have been changed. To gather such information as security policies, local user accounts, and shares, your decision may be based on your preferred interface:
  • Winfo (www.ntsecurity.nu/toolbox/winfo) runs from the Windows command line.
  • DumpSec (www.somarsoft.com) runs from a graphical Windows interface.
  • Walksam (razor.bindview.com/tools/files/rpctools-1.0.zip) runs from the Windows command line.
If you’re scanning a network only for Windows shares, consider Legion (packetstormsecurity.nl/groups/rhino9/legionv21.zip).

• Rpcdump (razor.bindview.com/tools/files/rpctools-1.0.zip) for enumerating RPC ports to search for running applications.
• Network Users (www.optimumx.com/download/netusers.zip) for gathering Windows login information.

Information Gathering

When you assess Windows vulnerabilities, start by scanning your computers to see what the bad guys can see. The hacks in this chapter are against the versions of the Windows Server OS (NT, 2000, and Server 2003) from inside a firewall. Unless I point out otherwise, all the tests in this chapter can be run against all versions of the Windows server OS. The attacks in this chapter are significant enough to warrant testing for regardless of your current setup. Your results may vary from mine depending on these factors:
• OS versions
• Security measures, such as patch levels and access controls (such as firewall policies and local Windows security policies)

System scanning

A few straightforward processes can identify weaknesses. Other steps can minimize your vulnerability.

Testing

Start gathering information about your Windows systems by running an initial port scan:

1. Run basic scans to find which ports are open on each Windows system:
   • Scan for TCP ports with a port scanning tool, such as SuperScan or Nmap.
   • Scan for UDP ports with a port scanning tool, such as Nmap.
2. Perform OS enumeration (such as scanning for shares and specific OS versions) by using an all-in-one assessment tool, such as LANguard Network Security Scanner.
3. Scan your Windows systems for open ports that could point to potential security vulnerabilities. The tool you use depends on whether you need a basic summary of vulnerable ports or a comprehensive system report:
   • If you need a basic summary of open ports, scan your Windows systems with SuperScan.
     The SuperScan results in Figure 11-1 show several potentially vulnerable ports open on a Windows Server 2003 system, including those for SMTP (port 25), a Web server (port 80), RPC (port 135), and the ever popular — and easily hacked — NetBIOS (ports 139 and 445).
   • If you need a comprehensive system report, scan your Windows systems with LANguard Network Security Scanner. In Figure 11-2, LANguard shows the server version (identified as Windows XP initially and then later as Windows 2003), the system’s current date and time setting and system uptime, and the server’s domain (PL).

Figure 11-1: Scanning a Windows Server 2003 system with SuperScan.
Figure 11-2: Gathering system details with LANguard Network Security Scanner.

4. You can run Nmap with the -O option to confirm the OS characteristics — the version information referred to as the OS fingerprint — that you found with your scanning tool, as shown in Figure 11-3. A hacker can use this information to determine potential vulnerabilities for your system. Make sure you’ve applied the latest patches and system hardening best practices. In Figure 11-3, Nmap reports the OS version as Windows .NET Enterprise Server — the original name of Windows Server 2003.

Figure 11-3: Using Nmap to determine the Windows version.

Countermeasures

You can prevent a hacker from gathering certain information about your Windows systems by implementing the proper security settings on your network and on the Windows hosts themselves.
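As an added example (not code from the book), here is a small Python script that reads the grepable output of the scans in steps 1 and 4 (nmap -oG) and reports, per host, which of the Windows-specific ports the chapter singles out are open and which countermeasure applies. The scan lines are constructed for the example; the host names and addresses in them are made up.

```python
import re

# Ports the chapter singles out on Windows hosts, each with the countermeasure
# it recommends (firewall the port, or allow only trusted systems through).
WINDOWS_PORT_ADVICE = {
    135: "RPC endpoint mapper: block at the firewall or allow only trusted systems",
    137: "NetBIOS name service (UDP): block at the firewall or disable NetBIOS",
    138: "NetBIOS datagram service (UDP): block at the firewall or disable NetBIOS",
    139: "NetBIOS session service (SMB): block at the firewall or disable NetBIOS",
    445: "SMB over TCP without NetBIOS: block at the firewall (absent on Windows NT)",
}

# nmap -oG prints one tab-separated line per host; its Ports field holds
# port/state/protocol//service/// entries separated by ", ".
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>[\w|]+)/(?P<proto>\w+)//(?P<svc>[^/]*)")
OS_RE = re.compile(r"\tOS:\s*(?P<os>[^\t]+)")

# Constructed sample: a Windows Server 2003 host like the one in Figure 11-1
# (SMTP, HTTP, RPC, NetBIOS) plus a non-Windows host for contrast.
SAMPLE_GREPABLE = (
    "Host: 10.0.0.5 (srv1)\tStatus: Up\n"
    "Host: 10.0.0.5 (srv1)\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, "
    "135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 137/open|filtered/udp//netbios-ns///"
    "\tIgnored State: closed (994)\tOS: Microsoft Windows Server 2003\tSeq Index: 14221\n"
    "Host: 10.0.0.9 (web2)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tIgnored State: closed (998)\tOS: Linux 2.4.X\n"
)

def parse_grepable(text):
    """Return {ip: {"name", "os", "open": [(port, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "\tPorts:" not in line:
            continue  # status-only lines carry no port data
        entry = hosts.setdefault(m["ip"], {"name": m["name"], "os": None, "open": []})
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for pm in PORT_RE.finditer(ports_field):
            # UDP probes usually come back open|filtered; keep those as exposure too
            if pm["state"].startswith("open"):
                entry["open"].append((int(pm["port"]), pm["proto"], pm["svc"]))
        om = OS_RE.search(line)
        if om:
            entry["os"] = om["os"].strip()
    return hosts

def exposure_report(hosts):
    """Per host: the chapter's Windows-specific ports found open, with advice."""
    return {ip: sorted({(port, WINDOWS_PORT_ADVICE[port])
                        for port, _, _ in h["open"] if port in WINDOWS_PORT_ADVICE})
            for ip, h in hosts.items()}

if __name__ == "__main__":
    for ip, findings in exposure_report(parse_grepable(SAMPLE_GREPABLE)).items():
        print(ip, "exposes", [port for port, _ in findings] or "none of the listed ports")
        for port, advice in findings:
            print(f"  {port}: {advice}")
```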
Information

If you don’t want anyone gathering information about your Windows systems, you have two options:
• Protect Windows with either of these countermeasures:
  • A firewall that blocks the Windows-specific ports for RPC (port 135) and NetBIOS (ports 137–139 and 445)
  • An intrusion prevention system, such as the host-based BlackICE software
• Disable unnecessary services so that they don’t appear when a connection is made

Fingerprinting

You can prevent OS fingerprinting tests by either
• Using a host-based intrusion prevention system
• Denying all inbound traffic with a firewall — this just may not be practical for your needs

NetBIOS

You can gather Windows information by poking around with NetBIOS (Network Basic Input/Output System) functions and programs. NetBIOS allows applications to make networking calls and communicate with other hosts within a LAN. These Windows NetBIOS ports can be compromised if they’re not properly secured:
• UDP ports for network browsing:
  • Port 137 (NetBIOS name services)
  • Port 138 (NetBIOS datagram services)
• TCP ports for Server Message Block (SMB):
  • Port 139 (NetBIOS session services)
  • Port 445 (runs SMB over TCP/IP without NetBIOS)

Windows NT doesn’t support port 445.

Hacks

The following hacks can be carried out on unprotected systems running NetBIOS.

Unauthenticated enumeration

When you’re performing your unauthenticated tests, you can gather configuration information about the local or remote systems with either
• All-in-one assessment tools, such as LANguard Network Security Scanner.
• The nbtstat program that’s built into Windows (nbtstat stands for NetBIOS over TCP/IP Statistics).

Figure 11-4 shows information that you can gather from a Windows Server 2003 system with a simple nbtstat query.
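As an added example (not the book’s code), the following Python parser turns the name table printed by nbtstat -A into the facts the chapter says such a query gives away: computer name, domain, MAC address, and the logged-on user that NT and 2000 expose through the Messenger service. The nbtstat output below is constructed; the domain PL is the one from Figure 11-2, while the host name, user name and MAC address are made up.

```python
import re

# One row of the "NetBIOS Remote Machine Name Table" printed by nbtstat -A:
#     NAME           <hh>  UNIQUE|GROUP   Registered
# <hh> is the 16th name byte and identifies the service that registered it.
NAME_RE = re.compile(r"^\s*(?P<name>\S+?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
                     r"(?P<kind>UNIQUE|GROUP)\s+(?P<status>\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

# Constructed sample output of: nbtstat -A 10.0.0.5
SAMPLE_NBTSTAT = """\
Node IpAddress: [10.0.0.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SRV1           <00>  UNIQUE      Registered
    PL             <00>  GROUP       Registered
    SRV1           <20>  UNIQUE      Registered
    SRV1           <03>  UNIQUE      Registered
    PL             <1D>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AB-CD-EF
"""

def parse_nbtstat(text):
    """Return ([(name, suffix, kind), ...], mac) from nbtstat -A output."""
    entries, mac = [], None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            entries.append((m["name"], m["suffix"].upper(), m["kind"]))
        elif (mm := MAC_RE.search(line)):
            mac = mm["mac"].upper()
    return entries, mac

def summarize(entries, mac):
    """Map the name table to the facts the chapter says nbtstat gives away."""
    info = {"computer": None, "domain": None, "mac": mac, "logged_on_user": None,
            "file_sharing": False, "master_browser": False}
    for name, suffix, kind in entries:
        if suffix == "00" and kind == "UNIQUE":
            info["computer"] = name        # Workstation service: the machine name
        elif suffix == "00" and kind == "GROUP":
            info["domain"] = name          # domain or workgroup the host belongs to
        elif suffix == "20" and kind == "UNIQUE":
            info["file_sharing"] = True    # Server service: file/print sharing is on
        elif suffix == "1D" and kind == "UNIQUE":
            info["master_browser"] = True  # this host is the segment's master browser
    # The Messenger service (NT/2000) registers <03> for the machine and for the
    # logged-on user; the <03> UNIQUE name that is not the machine name is the user.
    for name, suffix, kind in entries:
        if suffix == "03" and kind == "UNIQUE" and name != info["computer"]:
            info["logged_on_user"] = name
    return info

if __name__ == "__main__":
    for key, value in summarize(*parse_nbtstat(SAMPLE_NBTSTAT)).items():
        print(f"{key:15} {value}")
```

Run against your own servers, an empty logged_on_user and file_sharing of False are what a hardened host should report; anything else is the exposure the countermeasures below address.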
nbtstat shows the remote computer’s NetBIOS name table, which you gather by using the nbtstat -A command. This displays the following information:
• Computer name
• Domain name
• Computer’s MAC address

You may even be able to glean the ID of the currently logged user from a Windows NT or Windows 2000 server.

A GUI utility such as LANguard Network Security Scanner isn’t necessary to gather this basic information from a Windows system. The graphical interface offered by commercial software such as this just presents its findings in a prettier fashion!

Figure 11-4: Using nbtstat to gather critical Windows information.

Shares

Windows uses network shares to share out certain folders or drives on the system so other users can access them across the network. Shares are easy to set up and work very well. However, they’re often misconfigured, allowing hackers and other unauthorized users to access information they shouldn’t be able to get to.

You can search for Windows network shares by using the Legion tool. This tool scans an entire range of IP addresses looking for Windows shares. It uses the SMB protocol (TCP port 139) to discover these shares and displays them in a nice graphical fashion sorted by IP address, as shown in Figure 11-5.

The shares displayed in Figure 11-5 are just what hackers are looking for — especially because the share names give hackers a hint at what type of files might be available if they connect to the shares. After hackers discover these shares, they’re likely to dig a little further to see if they can browse the files and more within the shares. I cover shares in more detail in the “Share Permissions” section, later in this chapter.

Countermeasures

You can implement the following security countermeasures to minimize NetBIOS attacks on your Windows systems.
Limit traffic

You can protect your Windows systems from NetBIOS attacks by using some basic network infrastructure protection systems as well as some general Windows security best practices:

Figure 11-5: Using Legion to scan your network for Windows shares.

• If possible, the best way to protect Windows-based systems from NetBIOS attacks is to put them behind a firewall. A firewall isn’t always effective. If the attack comes from inside the network, a network-perimeter-based firewall won’t help.
• If a perimeter-based firewall won’t suffice, you can protect your Windows hosts by either
  • Installing a personal firewall such as BlackICE. This is the simplest and most secure method of protecting a Windows system from NetBIOS attacks.
  • Disabling NetBIOS on your systems. This often requires disabling Windows file and printer sharing — which may not be practical in a network mixed with Windows 2000, NT, and even Windows 9x systems that rely on NetBIOS for file and printer sharing.

Hidden shares — those with a dollar sign ($) appended to the end of the share name — don’t really help hide the share name. Hackers found out long ago that they can easily get around this form of security by obscurity by using the right methods and tools.

Passwords

If NetBIOS network shares are necessary, make strong passwords mandatory. With the proper tools, hackers can easily crack NetBIOS passwords across the network. NetBIOS passwords aren’t case sensitive, so they can be cracked more easily than case sensitive passwords that require both capital and small letters. Chapter 7 explains password security in detail.

RPC

Windows uses remote procedure call (RPC) and DCE internal protocols to
• Communicate with applications and other OSs.
• Execute code remotely over a network.

RPC in Windows uses TCP port 135.

RPC exploits can be carried out against a Windows host — perhaps the best-known being the Blaster worm that reared its ugly head after a flaw was found in the Windows RPC implementation.

Enumeration

Hackers use RPC enumeration programs to see what’s running on the host. With that information, hackers can then penetrate the system further. Rpcdump is my favorite tool for enumerating RPC on Windows systems. Figure 11-6 shows the abbreviated output of Rpcdump run against a Windows 2000 server. Rpcdump found the RPC listeners for MS SQL Server and even a DHCP server running on this host — and this is a hardened Windows 2000 server with all the latest patches running BlackICE intrusion prevention software!

Figure 11-6: Rpcdump shows RPC-based services.

Countermeasures

The appropriate step to prevent RPC enumeration depends on whether your system has network-based applications, such as Microsoft SQL and Microsoft Outlook:
• Without network-based applications, the best countermeasure is a firewall that blocks access to RPC services (TCP port 135). This firewall may disable network-based applications.
• If you have network-based applications, one of these options can reduce the risk of RPC enumeration:
  • If highly critical systems such as Web or database servers need access only from trusted systems, give only trusted systems access to TCP port 135.
  • If your critical systems must be made accessible to the public, make sure your RPC-based applications are patched and configured to run as securely as possible.

Don’t try to disable the RPC server within Windows with such “fixes” as Registry hacks. You may end up with a Windows server or applications that stop working on the network, forcing you to reinstall and reconfigure the system.

[...]
[...] This information can help you track who’s logging into a system for auditing purposes. Unfortunately, this information can be useful for hackers when they’re trying to figure out what user IDs are available to crack. They may even determine the system’s daily use if the user IDs are descriptive, such as backup (for a backup server) or devuser (for a development server) [...]

[...] Article 246261 covers the caveats of using the high security setting for Restrict Anonymous. It’s available on the Web at support.microsoft.com/default.aspx?scid=KB;en-us;246261

Windows 2000

In Windows 2000, you don’t have to edit the Registry. You can set local security policy in the Local Policies/Security Options of the Local Security Settings. The security setting is called Additional Restrictions for Anonymous [...]

[...] you can
• Test for vulnerabilities and missing patches
• Deploy patches across the network to remote systems

Figure 11-16 shows the depth of information that this program can provide when scanning Windows systems for vulnerabilities and security settings. This type of information is very helpful when testing your own systems — especially if you have a large or complex network. This information is also [...]

[...] Windows 2000, XP, or Server 2003, run Windows Update from the Start menu
• For Windows NT, browse to windowsupdate.microsoft.com. On that page, click Scan for Updates to check your system for any missing patches.

Microsoft has announced plans to stop providing updates for Windows NT. You can’t assume that Windows Update will have patches for new security vulnerabilities discovered.

Microsoft Baseline Security [...]

[...] output of a Windows NT server, but you can glean the same information from a Windows 2000 server:

Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/

SYSTEM INFORMATION:
- OS version: 4.0

PASSWORD POLICY:
- Time between end of logon time and forced logoff: No forced logoff
- Maximum password age: 42 days
- Minimum password [...]

[...] (www.foundstone.com) for ping sweeps and TCP port scanning
• Nmap (www.insecure.org) for OS fingerprinting and more detailed port scanning
• Windows-based LANguard Network Security Scanner (www.gfi.com) for port scanning, OS enumeration, and vulnerability testing
• THC-Amap (www.thc.org/releases.php) for application version mapping
• Tiger (ftp.debian.org/debian/pool/main/t/tiger) for automatically assessing [...]

[...] Security Auditing Tool (LSAT) (usat.sourceforge.net) for automatically assessing local-system security settings
• VLAD the Scanner (razor.bindview.com/tools/vlad) to test for the SANS Top 10 Security Vulnerabilities
• QualysGuard (www.qualys.com) for OS fingerprinting, port scanning, and very detailed and accurate vulnerability testing
• Nessus (www.nessus.org) for OS fingerprinting, port scanning, and [...]

[...] programs that run on a system and serve up various applications for users
• Internet services, such as the Apache Web server (httpd), telnet (telnetd), and FTP (ftpd), often give away too much information about the system, such as software versions, internal IP addresses, and usernames. This information can allow a hacker to attack a known weakness in the system [...]

Chapter 12: Linux

[...] 12-6 outlines threats to the system in an informative graphic form that nontechie types — the ones to whom you may be showing the results — just love.

Figure 12-6: Linux threats outlined in a QualysGuard scan.

Countermeasures

Although you can’t completely prevent system scanning, you can still implement the following countermeasures to keep the bad guys from gleaning too much information [...]

[...] loading of daemons you don’t need. Follow these steps:
1. Enter the following command at the command prompt: ps -aux
   The process ID (PID) for each daemon, including inetd, is listed on the screen. In Figure 12-9, the PID for the sshd (Secure Shell) daemon is 646.
2. Copy the PID for inetd from the screen on a notepad.
3. Open /etc/inetd.conf in the Linux text editor vi by entering the following command: vi /etc/inetd.conf